Eavesdropper's Optimal Information in Variations of Bennett-Brassard 1984 Quantum 

Key Distribution in the Coherent Attacks 

Won Young Hwang], Doyeol (David) AhntO, and Sung Woo Hwango 

Institute of Quantum Information Processing and Systems, 

University of Seoul, 90 Jeonnong, Tongdaemoon, Seoul 130-743, Korea 

We calculate eavesdropper's optimal information on raw bits in Bennett-Brassard 1984 quantum 
key distribution (BB84 QKD) and six-state scheme in coherent attacks, using a formula by Lo 
and Chau [Science 283, 2050 (1999)] with single photon assumption. We find that eavesdropper's 
optimal information in QKD without public announcement of bases [Phys. Lett. A 244(1998), 489] 
is the same as that of a corresponding QKD with it in the coherent attack. We observe a sum-rule 
concerning each party's information. 
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Information processing with quantum systems is an interesting field both theoretically and practically. It may 
innovate our fundamental conceptions on our world [nl. And it is superior to its classical counterpart in some cases: 
computing with quantum bits (qubits) enables factoring large numbers f2j,|3j, which has remained intractable with 
classical computers and algorithms. In quantum key distribution (QKD) pj- [E6[, it is possible for two legitimate 
\£i users Alice and Bob to distribute keys with security that quantum mechanical laws afford. 

Security of QKD had been (tentatively) accepted on the basis of the no-cloning theorem P7LB8] and it might be 
the first practical quantum information processor j26(. However it is only recently that its unconditional security is 
proved p2[- p5fl. Since the original work |5|, more and more sophisticated attacks have been considered: intercept- 
resend strategy with orthogonal measurement in general bases, attacks with generalized (or positive operator valued) 
measurements, and the most general coherent (collective or joint) attacks where all qubits are coherently treated as a 
whole quantum system were considered in Refs. |12|, |ll|- |l^], and |19|- |2J|, respectively. One of the reasons making 
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the proof complicated is that there is inevitable residual noise in real quantum channel. And the natural noise cannot 
be discriminated from what Eavesdropper's (Eve's) tapping on the channel causes. Thus raw bits must be processed 
in such a way so that Eve has essentially zero information about the final corrected bits. This might be done cither 
quantum or classical information processing. In the former case, errors are removed by quantum error correcting 
codes or purification protocol |29|. In the latter case, errors are corrected with certain classical error correcting codes. 



Q H , In particular, in case of Ref. p5| classical error correction codes associated with Calderbank-Shor-Steane [BO 31 
quantum error correcting codes are used. The security of the method against coherent attacks are proved in Refs. 
p2|, p3,E5[. However, before such elegant proofs were given, Eve's optimal information on raw bits for various attacks 
^^ ■ were estimated |12j- |17| for classical privacy amplification, where Eve's information is deleted. Although it is not 
rigorously proven such methods are secure against coherent attacks, it seems to be so for almost practical purposes 
and thus the security of such methods had been widely accepted. However, the estimations have been confined to 
individual attacks where each qubit is separately treated [JT3]- ]l7| ]. Estimating Eve's optimal information in coherent 
attacks was in itself an interesting and unsolved problem until formulas for it are given recently |23,p4j. Thus it is 
worthwhile to have explicit estimation of it. In this paper, we calculate Eve's optimal information about raw bits in 
BB84, six-state schemes in the coherent attack using the formula given by Lo and Chau p3|, with single photon (or 
quantum) assumption. Then we consider multiple-basis scheme where a number of bases are adopted: we find Eve's 
optimal information in multiple-basis scheme is the same as that of six-state scheme. We consider another variation 
of BB84 scheme, QKD without public announcement of bases H|. We argue the formula is also valid for it. We also 
find Eve's optimal information in it is the same as that of a corresponding QKD with public announcement of bases. 
We observe that sum of mutual information between Alice and Bob, and Eve's information is constant in the case of 
BB84 scheme. 

II. FORMULA FOR EAVESDROPPER'S OPTIMAL INFORMATION 



Derivation of the formula for Eve's optimal information I Eve in Eq. (|2.8D is briefly discussed in Ref. |23|. In 



this section, we give a more detailed derivation of the formula in a self-consistent manner. The entanglement-based 



schemes |J7| can be reduced to BB84-like scheme pj. Thus I Eve in entanglement-based scheme which we calculate is 
the same as that in BB84-like scheme. First we introduce entanglement-based scheme. With the convention of Refs. 
JHH, the Bell basis vectors |*±) (= |01) ± |10}) and |$ ± ) (= |00) ± |11}) are represented by two classical bits, Q 

|$+} = 66, |* + } = 6l, |$-) = io, |*-) = 11. (2.1) 

Eve is supposed to prepare a state \^>~) <g> l^ - ) ® • • • <8> |*~), if she does it honestly. But she may prepare other state 
most generally 



E 



E 



Oi tl ,i 2 ,-,i N .j\ii,i2, ■ ■ -Jn) ® |j), (2.2) 



where ik denotes the state of the fc-th pair, which runs from 66 to 11, QZi 1 ,i 2 ,»-,i N ,j , s are some complex coefficients, 
and the \j) values form an orthonormal basis for the ancilla. Eve gives this state to Alice and Bob, the two legitimate 
participants who will secretly exchange messages. On each particle, they independently and randomly performs 
measurements among S z (orthogonal measurement composed of two projection operators |0)(0| and |1)(1|), S x (that 
of 1 0> <0 1 and |1)(1|), and S y (that of |0)(0| and |1)(1|), where |0) = |0) + |1), |1) = |0) - |1) and |0) = |0) + i|l), 
|1) = |0) — i|l). Then Alice and Bob compare their bases by public discussion and they discard their data of the 
case where the bases are not matched. Then Alice and Bob publicly announce some randomly chosen subsets of 
remaining data. They count the number N para of the case where the results are the same and the number N ant i of 
the case where the results are opposite. Alice and Bob calculate Eve's optimal information I^ve about their results 
as a function of error rate D = N para /(N para + N ant i). When D is too high, they abort the protocol and restart it. 
Otherwise, they process the raw bits (the data) into final key about which Eve has essentially zero information. This 
completes a description on entanglement-based scheme. 

Now, let us consider Eve's optimal information. Roug hly speaking, the higher the error rate D becomes, the more 



states other than 'J are contained in the state of Eq. (2.2). Thus the entropy of reduced de nsity operator of Alice 



and Bob's qubits become higher and Eve can extract more information on the bits (see Eq. ( |2.7| )). More precisely, 
first note the following equivalences. 



|00)<00| + |11)<11| = 


!$+)($+! + !$-)($- 


|00)(00| + |11)(11| = 


!$+)($+! + l^+)(*+ 


|00)(00| + |11)(11| = 


|$->($-| + !*+>(*+ 



(2.3) 

This means that the error rate D that Alice and Bob estimate from their measurements on qubits in z, x, and y basis 
are the same as they would have estimated using the Bell basis measurement J25[. So we may estimate D using the 
Bell basis measurement. Let us consider the state. Assume that Eve had performed Bell basis measurement on all 
qubits in the state and then sent them to Alice and Bob. f] Then Alice and Bob perform Bell basis measurement 
on some subsets of the qubits, according to the scheme. After Eve did the pre-measurement, the state reduces to a 
mixed state 

P= E ^i,ij,-wl'ii'2i' ' ■^N){k,iir ■ •jijvl, (2.4) 

where P h . l2 . ...,i N = 2J \^i 1 .z 2 . / --., lN , ] \ 2 - (2.5) 

3 

However, in this case Eve's and [Alice+Bob] 's measurements have common eigenvectors (the Bell basis), and thus 



Eve's pre-measurement do not change statistics of 



Alicc+Bob]'s later measurement. So we may do our estimation of 



D for the mixed state in Eq. (2.4) instead of Eq. (2.2). Then D for the state is given by the following 



D= ^2 P lul2 ,..., tN D(i 1 ,i 2 ,- ■ -,i N ), (2.6) 



In this paper obvious normalization constants are omitted. It is noted that one should never think of the Bell basis vectors 
as direct product state since they are maximally entangled. 

2 One should not regard Eve as doing the measurement in the real protocol. It is here a hypothetical one for making the 
estimation easier. Alice and Bob's measurement is real and thus perturbs the state. However, it does not matter here because 
their measurement is local process which does not increase entanglement between them and Eve. 



where D(ii,i2,- ■ -^n) is error rate that the state \ii,i2,- ■ - ,2jv) induces. D( ii, i i, ■ ■ -,In) depends on the way of 



checking errors in schemes and will be calculated in next section. Using Eq. (2J3), we can calculate expected error 
rate D for a state with a certain (Xi 1> i a> ... > i N> j's. 
On the other hand, 

lEve < S(pab), (2.7) 

where S is the von Neumann entropy and pab = TrE„ e |u)(u| (see Lemma 2 of the supplementary material of Ref. 
p3|). There are numerous sets of aj 1 ,i 2 ,.-,i JVJ - that give rise to a certain error rate D. What Eve has to do is 
maximizing her information for a certain error rate D. Thus she has to choose one among the sets of ai 1] i 2] ... ] i JVJ - 
which give maximal entropy. By inspection, we can see the maximal entropy is obtained when all \ii, i 2 , ■ ■ •, i^} giving 
the error rate D are prepared with equal probability Pi lt i 2 ,--,i N - Then we have 

lEve<- ^2 P ii,i2,-,iN^°E Pii,i 2 ,-,ii<f = log ft, (2.8) 

where Q is the number of distinct \i\, 12, ■ ■ •, Jjv)s giving an error rate D. (In this paper log = log 2 .) 

III. OPTIMAL INFORMATION IN BB84, SIX-STATE AND MULTIPLE-BASIS SCHEME 

First we calculate I Eve of BB84 scheme: let us calculate D(ii, 12, ■ ■ •, «at) for the scheme, where Alice and Bob check 
errors by either |00)(00| + |11)(11| or |00)(00| + |11)(11|. So probability that \^f~), |$~), |*+), and |$+) are detected 
in error checking are 0, 1/2, 1/2, and 1, respectively, by Eq. (|2.3|). Thus, 



D{i ll i 2l ---,i N ) = -{- + C - + d), (3.1) 

where a,6,c,and d are the number of elements of the set A = {ikUk = 11}, B = {ik\ik = 10}, C = {ik\ik — 01}, and 



D = {ik\ik = 66}, respectively (fc=l,2,...,N). We note that Eq. (3.1) is statistically satisfied only when Eve does not 
know the encoding bases while she has access to the qubits: if she knows which pairs of qubits will be chosen for 
estimation of the error rate D, she can cheat by sending ^ _ for all the chosen pairs while sending one of the four Bell 
states for other pairs. In order to give an error rate D, 

D(i t ,i 2 , ■ ■ ;i N ) = 1(| + I + d) = D. (3.2) 

The number Q of i 1; i 2 , • • •, JjyS that satisfies Eq. ( |3.2| ) is given by 

±{b+c)+d=D 

Among many summed terms, £1 is dominated by maximal (typical) one. Thus we obtain 

log n = Max {-(a log -^ + b log — + c log -^ + d log -)} (3.4) 



By inspection, we can see that the maximum is obtained when b = c. Then with Eq. (3.2) 



log ft = Max {{N - 2ND + d) log - ™ D + - + 2{ND - d) log N ° N - + d log ^)}. (3.5) 

The maximum is obtained when the term's differential is zero or d = ND 2 . 

log Q = -N{(1 -2D + D 2 ) log(l -2D + D 2 ) + 2{D - D 2 ) \og{D - D 2 ) + D 2 logD 2 }. (3.6) 



Before comparing it with Ievb for incoherent attacks (Eq. (65) of Ref. |17|), our Ievc should be divided by 2N since 
it is the information about N pairs of particles. Then, 

Ievc < --{(1 -2D + D 2 ) log(l -2D + D 2 ) + 2{D - D 2 ) log(D - D 2 ) + D 2 \ogD 2 }, 

= -[D\ogD + (l-D) log(l - £>)] . (3.7) 



Eq. (3.7) is plotted in Fig. 1 among others. 



Next we calculate Ievc of the six-state scheme [hOl in the same way: in the scheme pOfl one of the three measurements 



in Eq. (2.3) is performed with equal probabilities. So we obtain 



In order to give an error rate D, 



AT3 3 3 
The maximum is obtained when b = c = d = ND/2. Then, 



D(i u ia,-- ;iN) = ^(g & + g c + ^ d )- (3-8) 



12 2 2 
T-Aob+-c+-d)=D. (3.9) 



lEve < -i{(l - \d) log(l - |D) + |D log|}. (3.10) 



As we see in Fig. 1, /B„ e of Eq. ( 3.10 ) is lower than that of Eq. (3.8), which means that the six-state scheme is more 
advantageous than the BB84 scheme in the case of coherent attacks, too. 

Now we address the multiple-basis scheme. In the scheme many bases are adopted while two and three bases are 
adopted in the BB84 and six-state scheme, respectively. We assume the bases are uniformly distributed on the Bloch 
sphere. (Schemes with non-uniform distributions do not seem to be more advantageous than the uniform one.) It is 
shown in Ref. pi that the multiple basis scheme does not give more security than the six-state scheme within the 
individual attack. So we can expect that this is the case in the coherent attack. Here we show that the multiple-basis 
scheme is indeed no more advantageous than the six-state scheme in the coherent attack: let us compute the average 
probability p that a Bell state induces parallel result when they are measured in one of the many bases uniformly 
distributed on the Bloch sphere. We can easily see that p(\^f~)) = since "J - ) induces only anti-parallel results for 
any basis. We can also see 

P (\$-))=Jp(\$-),d)dn = J\m 2 e s -^-d6 = ~, (3.ii) 

where p(|$ - ),0) is the probability density that \$~) induces parallel results for a measurement along a basis that 
makes an angle 9 with z axis and f2 is the solid angle. In a similar way, 

MI* + »=MI* + )) = i (3-12) 



Thus for the multiple-basis scheme we have the same equation as Eq. (3.9). Accordingly, I Eve of this scheme is 
the same as that of six-state scheme. We can also consider a multiple-basis scheme where the bases are uniformly 
distributed in z — x plane. We can also show in a similar way that this multiple basis scheme in the plane is no more 
advantageous than the BB84 scheme: 

p(|*-» = 0, p(|*-))=p(|*+)) = i [* sin 2 6d9 = I, p(|* + » = l. (3.13) 

n Jo 2 



IV. OPTIMAL INFORMATION IN QKD WITHOUT PUBLIC ANNOUNCEMENT OF BASES 

Here we show that I Eve of QKD without public announcement of bases [O is the same as that of a corresponding 
one with public announcement of bases. Let us consider a scheme corresponding to BB84 pi. In the scheme, Eve 
knows which and which qubits are encoded in the same basis while she does not know which basis between z and x 
they are. In this case the probability that Eve will make a right guess of the encoding bases is still 1/2, which is the 



same as that in the case of BB84 scheme. Thus Eq. (3.1) is also valid and later procedures for calculation of Ie v 



are the same as that of BB84 scheme. So I Eve of QKD without public announcement of bases is the same as that of 
BB84 scheme. The idea of QKD without public announcement of bases are straitforwardly applied to the six-state 
scheme. And we can see that lEve of the six-state QKD without public announcement of bases is the same as that 
of the six-state scheme with it. However, if Ievc of both schemes are the same, we can say that QKD without public 
announcement of bases is more advantageous than either BB84 scheme or six-state scheme: while in either BB84 
scheme or six-state scheme full information about the encoding bases are given to Eve after the qubits have arrived at 
Bob, in QKD without public announcement of bases only partial information (which and which are the same basis) 
about the encoding bases are given to Eve. To summarize this section, these facts suggest that QKD without public 
announcement of bases is at least as secure as cither BB84 or six-state scheme even in coherent attacks. 



V. DISCUSSION AND CONCLUSION 



It is interesting that the sum of Ievc of BB84 scheme in Eq. (3.7) and 

I AB = l + D\ogD + {l-D)\og{l-D) (5.1) 

is constant. That is, 

I Ev c+Iab = 1- (5.2) 

This indicates something is conserved. Roughly speaking, QKD could be interpreted by the quantum information 
conservation^ since the total quantum information that Alice have sent is conserved, the more quantum information 
Eve gets, the less quantum information given to Bob. It should be noted that the results for I Eve m this paper are 
asymptotically valid in the limit when the number of employed qubits become large. 

In conclusion, we have calculated eavesdropper's optimal information Ieve on raw bits in BB84 and six-state scheme 
in coherent attacks, using the formula (Eq. fl2.8Q ) by Lo and Chau p3[ , assuming single quantums are used. We have 
shown that lEve in multiple-basis scheme is the same as that of six-state scheme. We have considered QKD without 
public announcement of bases pd| ] : we found that I Eve in it is the same as that of a corresponding QKD with public 
announcement of bases in the coherent attacks. This fact suggests that QKD without public announcement of bases 
is as secure as either BB84 or six-state scheme in coherent attacks, too. We observed that Ievc + Iab = 1 in the case 
of BB84 scheme. 
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FIGURE CAPTION: 

the solid line (the upper one): I Eve in BB84 scheme, Eq. (3.7) 

the clotted line (the middle one): I Eve in six-state scheme, Eq. (3.10) 

the dot-dashed line (the lower one): Eq. (65) of Ref. ttM 

the dashed line: Iab, Eq. (5.1) 



